aws-sdk shared-ini-file-loader INI File Parser injection


A vulnerability classified as critical was found in aws-sdk shared-ini-file-loader (version unknown). It affects some unknown processing of the INI File Parser component. Upgrading eliminates this vulnerability, and a patch that fixes the problem is available for download at github.com. The suggested mitigation is upgrading to the latest version.

| Field | 01/19/2021 02:35 PM | 02/15/2021 10:03 AM | 02/15/2021 10:06 AM |
|---|---|---|---|
| vendor | aws-sdk | aws-sdk | aws-sdk |
| name | shared-ini-file-loader | shared-ini-file-loader | shared-ini-file-loader |
| component | INI File Parser | INI File Parser | INI File Parser |
| cwe | 74 (privilege escalation) | 74 (privilege escalation) | 74 (privilege escalation) |
| cvss3_vuldb_av | N | N | N |
| cvss3_vuldb_ac | L | L | L |
| cvss3_vuldb_pr | N | N | N |
| cvss3_vuldb_ui | N | N | N |
| cvss3_vuldb_s | U | U | U |
| cvss3_vuldb_c | L | L | L |
| cvss3_vuldb_i | L | L | L |
| cvss3_vuldb_a | L | L | L |
| cvss3_vuldb_rl | O | O | O |
| cvss3_vuldb_rc | C | C | C |
| identifier | SNYK-JS-AWSSDK-1059424 | SNYK-JS-AWSSDK-1059424 | SNYK-JS-AWSSDK-1059424 |
| url | https://snyk.io/vuln/SNYK-JS-AWSSDK-1059424 | https://snyk.io/vuln/SNYK-JS-AWSSDK-1059424 | https://snyk.io/vuln/SNYK-JS-AWSSDK-1059424 |
| name | Upgrade | Upgrade | Upgrade |
| patch_url | https://github.com/aws/aws-sdk-js-v3/commit/a209082dff913939672bb069964b33aa4c5409a9 | https://github.com/aws/aws-sdk-js-v3/commit/a209082dff913939672bb069964b33aa4c5409a9 | https://github.com/aws/aws-sdk-js-v3/commit/a209082dff913939672bb069964b33aa4c5409a9 |
| cve | CVE-2020-28472 | CVE-2020-28472 | CVE-2020-28472 |
| date | 1611010800 (01/19/2021) | 1611010800 (01/19/2021) | 1611010800 (01/19/2021) |
| cvss2_vuldb_av | N | N | N |
| cvss2_vuldb_ac | L | L | L |
| cvss2_vuldb_au | N | N | N |
| cvss2_vuldb_ci | P | P | P |
| cvss2_vuldb_ii | P | P | P |
| cvss2_vuldb_ai | P | P | P |
| cvss2_vuldb_rc | C | C | C |
| cvss2_vuldb_rl | OF | OF | OF |
| cvss2_vuldb_e | ND | ND | ND |
| cvss3_vuldb_e | X | X | X |
| cvss2_vuldb_basescore | 7.5 | 7.5 | 7.5 |
| cvss2_vuldb_tempscore | 7.5 | 6.5 | 6.5 |
| cvss3_vuldb_basescore | 7.3 | 7.3 | 7.3 |
| cvss3_vuldb_tempscore | 7.3 | 7.0 | 7.0 |
| cvss3_meta_basescore | 7.3 | 7.3 | 8.5 |
| cvss3_meta_tempscore | 7.3 | 7.0 | 8.2 |
| price_0day | $0-$5k | $0-$5k | $0-$5k |
| cve_assigned | | 1605135600 | 1605135600 |
| cve_nvd_summary | | This affects the package @aws-sdk/shared-ini-file-loader before 1.0.0-rc.9; the package aws-sdk before 2.814.0. If an attacker submits a malicious INI file to an application that parses it with loadSharedConfigFiles, they will pollute the prototype on the application. This can be exploited further depending on the context. | This affects the package @aws-sdk/shared-ini-file-loader before 1.0.0-rc.9; the package aws-sdk before 2.814.0. If an attacker submits a malicious INI file to an application that parses it with loadSharedConfigFiles, they will pollute the prototype on the application. This can be exploited further depending on the context. |
| cvss3_nvd_av | | | N |
| cvss3_nvd_ac | | | L |
| cvss3_nvd_pr | | | N |
| cvss3_nvd_ui | | | N |
| cvss3_nvd_s | | | U |
| cvss3_nvd_c | | | H |
| cvss3_nvd_i | | | H |
| cvss3_nvd_a | | | H |
| cvss2_nvd_av | | | N |
| cvss2_nvd_ac | | | L |
| cvss2_nvd_au | | | N |
| cvss2_nvd_ci | | | P |
| cvss2_nvd_ii | | | P |
| cvss2_nvd_ai | | | P |
| cve_cna | | | Snyk |
| cvss2_nvd_basescore | | | 7.5 |
| cvss3_nvd_basescore | | | 9.8 |
